An SBOM shows which components are included in an application. Even if you use standardized formats like CycloneDX or SPDX, the content can vary depending on which tool is used to generate the SBOM. Two different tools can therefore give different levels of detail and different data quality, despite formally following the same standard.
SBOM minimum requirements – Minimum Elements
In the USA, NTIA (National Telecommunications and Information Administration), as part of Executive Order (EO) 14028, has formulated guidelines for what an SBOM should contain at minimum.
These are called Minimum Elements and may, for example, require that fields such as name, version and supplier be filled in in a specified way. The purpose is to ensure consistent and usable content that not only follows a format, but also meets a minimum level of data quality.
More information can be found on the page "What are Minimum Elements?".
Why data quality matters
If the fields in the SBOM are incorrect or incomplete – for example if component names, versions or licenses are not clearly specified – the analysis loses much of its value. It becomes difficult to find relevant security risks and insecure dependencies in the software.
This can lead to vulnerabilities remaining undetected or incorrect decisions being made regarding updates and purchases.
Policies for internal "compliance"
To counteract these problems, you can introduce internal policies that set requirements for what information must always be included in an SBOM.
It is not enough for suppliers to simply say they "have an SBOM" – you should also automatically and continuously check that the SBOM actually contains the information required for a meaningful analysis.
By ensuring that name fields, version information and other key fields are correctly filled in, you can increase the reliability of both your own and others' security analyses.
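One way to implement such an automatic policy check, as an added example that is not part of the original page: it walks a CycloneDX JSON SBOM and reports every component that lacks a name, version, supplier name or unique identifier, plus missing metadata timestamp, author/tool and dependency relationships. The mapping of NTIA Minimum Elements onto CycloneDX keys and the sample SBOM are assumptions constructed for this example.

```python
import json

# Assumed mapping of NTIA minimum-element data fields onto CycloneDX JSON keys:
# supplier -> component["supplier"]["name"], unique identifier -> purl or cpe,
# author -> metadata.authors or metadata.tools, timestamp -> metadata.timestamp,
# dependency relationships -> top-level "dependencies" array.
REQUIRED_COMPONENT_FIELDS = ("name", "version")


def component_findings(comp):
    """Return policy violations (list of strings) for one CycloneDX component."""
    findings = []
    ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
    for field in REQUIRED_COMPONENT_FIELDS:
        if not comp.get(field):          # missing key or empty string
            findings.append(f"{ref}: missing {field}")
    if not (comp.get("supplier") or {}).get("name"):
        findings.append(f"{ref}: missing supplier name")
    if not (comp.get("purl") or comp.get("cpe")):
        findings.append(f"{ref}: no unique identifier (purl/cpe)")
    return findings


def check_sbom(sbom):
    """Check a parsed CycloneDX JSON SBOM (dict) and return all findings."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing author/tool")
    if not sbom.get("dependencies"):
        findings.append("dependencies: no dependency relationships recorded")
    for comp in sbom.get("components", []):
        findings.extend(component_findings(comp))
    return findings


# Constructed sample SBOM (not a real product): one complete, one sloppy component.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"timestamp": "2024-01-01T00:00:00Z",
              "tools": [{"name": "example-generator"}]},
 "components": [
   {"bom-ref": "pkg:npm/example-lib@1.0.0", "name": "example-lib",
    "version": "1.0.0", "purl": "pkg:npm/example-lib@1.0.0",
    "supplier": {"name": "Example Org"}},
   {"bom-ref": "c2", "name": "libfoo", "version": ""}]}
""")

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

A non-empty result from `check_sbom` is the signal to reject the SBOM in a pipeline gate rather than to trust a vendor's "we have an SBOM" statement.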